
Commit 8fd6800

authored
Merge pull request #84 from Botinoc/dev
Cisco fix: optimize MatchNATRulesIntoFirewallPolicy. The MatchNATRulesIntoFirewallPolicy() function has been threaded over all _cpNatRules. During the threads, no data is changed; new rules are added to a separate array, and after the threads complete, the new rules from the array (with duplicates removed) are added.
2 parents 53aec53 + 6ce90c8 commit 8fd6800


1 file changed

+264
-0
lines changed


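--- a/CiscoMigration/CiscoConverter.cs
+++ b/CiscoMigration/CiscoConverter.cs
@@ -5051,7 +5051,268 @@ private void CreateNATRulebase()
 }
 }
 
+public class CheckPoint_Rule_With_SubPoliciesIndex
+{
+public int SubPoliciesIndex;
+public CheckPoint_Rule CheckPoint_Rule;
+
+public CheckPoint_Rule_With_SubPoliciesIndex(int SubPoliciesIndex, CheckPoint_Rule CheckPoint_Rule)
+{
+this.SubPoliciesIndex = SubPoliciesIndex;
+this.CheckPoint_Rule = CheckPoint_Rule;
+}
+}
 private void MatchNATRulesIntoFirewallPolicy()
+{
+CheckPoint_Package cpPackage = _cpPackages[0];
+int index = 0;
+
+List<CheckPoint_Rule_With_SubPoliciesIndex> newRules = new List<CheckPoint_Rule_With_SubPoliciesIndex>();
+
+List<Thread> threads = new List<Thread>();
+
+
+foreach (CheckPoint_NAT_Rule cpNatRule in _cpNatRules)
+{
+void SubMatchNATRulesIntoFirewallPolicy()
+{
+
+if (!cpNatRule.Enabled)
+{
+return;
+}
+
+var ciscoNatCustomData = ((CiscoNatCustomData)cpNatRule.VendorCustomData);
+
+// For example, NAT section #4 rule...
+if (cpNatRule.TranslatedSource == null && cpNatRule.TranslatedDestination == null)
+{
+return;
+}
+
+// Skip dynamic object-NAT rules
+if (ciscoNatCustomData.IsObjectNatRule && cpNatRule.Method == CheckPoint_NAT_Rule.NatMethod.Hide)
+{
+return;
+}
+
+// Skip dynamic manual-NAT rules
+if (!ciscoNatCustomData.IsObjectNatRule && cpNatRule.Method == CheckPoint_NAT_Rule.NatMethod.Hide && cpNatRule.TranslatedDestination == null)
+{
+return;
+}
+
+// Skip static NAT mirrored rules
+if (ciscoNatCustomData.IsStaticMirrorRule)
+{
+return;
+}
+
+// Skip Non-NAT rules (only twice-NAT: SourceId == TranslatedSourceId && DestinationId == TranslatedDestinationId)
+if (ciscoNatCustomData.IsNonNatRule)
+{
+return;
+}
+
+string natRuleInterface1 = (ciscoNatCustomData.Interface1 != CiscoCommand.Any) ? (CiscoCommand.InterfacePrefix + ciscoNatCustomData.Interface1) : ciscoNatCustomData.Interface1;
+string natRuleInterface2 = (ciscoNatCustomData.Interface2 != CiscoCommand.Any) ? (CiscoCommand.InterfacePrefix + ciscoNatCustomData.Interface2) : ciscoNatCustomData.Interface2;
+
+foreach (CheckPoint_Rule cpParentRule in cpPackage.ParentLayer.Rules)
+{
+if (cpParentRule.Action != CheckPoint_Rule.ActionType.SubPolicy)
+{
+continue;
+}
+
+if (cpParentRule.Source[0] is CheckPoint_PredifinedObject && cpParentRule.Source[0].Name.Equals(CheckPointObject.Any))
+{
+if (cpParentRule.SubPolicyName != GlobalRulesSubpolicyName)
+{
+continue;
+}
+}
+
+CheckPoint_Zone parentLayerRuleZone = new CheckPoint_Zone();
+if (cpParentRule.SubPolicyName == GlobalRulesSubpolicyName)
+{
+parentLayerRuleZone.Name = "any";
+}
+else
+{
+parentLayerRuleZone = (CheckPoint_Zone)cpParentRule.Source[0];
+}
+
+// NAT rule interfaces should match on firewall rule interfaces (zones)
+if (natRuleInterface1 != CiscoCommand.Any && natRuleInterface1 != parentLayerRuleZone.Name &&
+natRuleInterface2 != CiscoCommand.Any && natRuleInterface2 != parentLayerRuleZone.Name)
+{
+continue;
+}
+int SubPoliciesIndex = -1;
+// Get into the relevant sub-policy
+foreach (CheckPoint_Layer subPolicy in cpPackage.SubPolicies)
+{
+SubPoliciesIndex++;
+if (subPolicy.Name != cpParentRule.SubPolicyName)
+{
+continue;
+}
+
+for (int ruleNumber = 0; ruleNumber < subPolicy.Rules.Count; ruleNumber++)
+{
+var cpRule = subPolicy.Rules[ruleNumber];
+
+// Do not match on cleanup rule
+if (cpRule.IsCleanupRule())
+{
+continue;
+}
+
+// Do not match if rule's destination is 'any'
+if (cpRule.Destination.Count == 1)
+{
+string destinationName = cpRule.Destination[0].Name;
+if (destinationName == CheckPointObject.Any)
+{
+continue;
+}
+
+if (destinationName.StartsWith(CiscoCommand.InterfacePrefix))
+{
+// get Cisco interface object
+var ciscoInterface = (Cisco_Interface)_ciscoParser.GetCommandByCiscoId(destinationName);
+if (ciscoInterface != null && (ciscoInterface.LeadsToInternet || ciscoInterface.SecurityLevel == 0))
+{
+continue;
+}
+}
+}
+
+CheckPointObject newRuleDest = null;
+bool serviceMatchedToo = false;
+
+//dont't check added matched NAT rules
+if (!cpRule.ConversionComments.StartsWith("Matched NAT rule") && IsFirewallRuleMatchedByNATRule(parentLayerRuleZone, cpNatRule, cpRule, out newRuleDest, out serviceMatchedToo))
+{
+string translatedSourceName = (cpNatRule.TranslatedSource != null) ? cpNatRule.TranslatedSource.Name : "original";
+string translatedDestName = (cpNatRule.TranslatedDestination != null) ? cpNatRule.TranslatedDestination.Name : "original";
+string translatedServiceName = (cpNatRule.TranslatedService != null) ?
+cpNatRule.TranslatedService.Name : (cpNatRule.Service != null ? cpNatRule.Service.Name : "");
+
+var newRule = new CheckPoint_Rule();
+
+newRule.Enabled = cpRule.Enabled;
+//if (!cpRule.Enabled)
+//{
+// NewCiscoAnalizStatistic._disabledServicesRulesCount++;
+//}
+
+if (!cpRule.Track.Equals(TrackTypes.Log))
+{
+NewCiscoAnalizStatistic._nonServicesLoggingServicesRulesCount++;
+}
+newRule.Source.AddRange(cpRule.Source);
+newRule.Destination.Add(newRuleDest);
+if (serviceMatchedToo)
+{
+newRule.Service.Add(_cpObjects.GetObject(translatedServiceName));
+}
+else
+{
+newRule.Service.AddRange(cpRule.Service);
+}
+newRule.Time.AddRange(cpRule.Time);
+if (cpRule.Time.Count > 0 && !cpRule.Time.First().Name.Equals("Any"))
+{
+NewCiscoAnalizStatistic._timesServicesRulesCount++;
+}
+newRule.Action = cpRule.Action;
+newRule.Layer = subPolicy.Name;
+newRule.ConvertedCommandId = cpNatRule.ConvertedCommandId;
+newRule.ConversionIncidentType = (cpRule.ConversionIncidentType != ConversionIncidentType.None) ? cpRule.ConversionIncidentType : cpNatRule.ConversionIncidentType;
+if (serviceMatchedToo)
+{
+translatedServiceName = (cpNatRule.TranslatedService != null) ? cpNatRule.TranslatedService.Name : "original";
+newRule.ConversionComments = "Matched NAT rule ((" + cpNatRule.ConvertedCommandId + ") translated source: " + translatedSourceName + ", translated dest: " + translatedDestName + ", translated service: " + translatedServiceName + ")";
+}
+else
+{
+newRule.ConversionComments = "Matched NAT rule ((" + cpNatRule.ConvertedCommandId + ") translated source: " + translatedSourceName + ", translated dest: " + translatedDestName + ")";
+}
+
+//don't add duplicated rules
+bool ruleIsAlreadyAdded = false;
+foreach (var rule in subPolicy.Rules)
+{
+if (newRule.CompareTo(rule))
+{
+ruleIsAlreadyAdded = true;
+break;
+}
+}
+
+// Add a new rule ABOVE the matched rule.
+if (!ruleIsAlreadyAdded)
+{
+//subPolicy.Rules.Insert(ruleNumber, newRule);
+newRules.Add( new CheckPoint_Rule_With_SubPoliciesIndex(SubPoliciesIndex: SubPoliciesIndex, CheckPoint_Rule: newRule));
+}
+
+if (newRule.ConversionIncidentType != ConversionIncidentType.None)
+{
+cpPackage.ConversionIncidentType = ConversionIncidentType.Informative;
+}
+
+// If NAT rule's service is "any" (null), we need to keep matching for all relevant FW rules.
+if (serviceMatchedToo)
+{
+break;
+}
+}
+}
+}
+}
+}
+if (index % 100 == 0)
+{
+foreach (Thread t in threads)
+{
+if (t.IsAlive)
+t.Join();
+}
+}
+index++;
+Thread thread = new Thread(SubMatchNATRulesIntoFirewallPolicy);
+threads.Add(thread);
+thread.Start();
+}
+foreach (Thread t in threads)
+{
+if (t.IsAlive) t.Join();
+}
+
+//remove duplicates
+for (int ruleNumber = 0; ruleNumber < newRules.Count; ruleNumber++)
+{
+for (int ruleNumber2 = 0; ruleNumber2 < newRules.Count; ruleNumber2++)
+{
+if ( newRules[ruleNumber].CheckPoint_Rule.CompareTo(newRules[ruleNumber2].CheckPoint_Rule) && ruleNumber != ruleNumber2 && newRules[ruleNumber].SubPoliciesIndex == newRules[ruleNumber2].SubPoliciesIndex)
+{
+
+newRules.Remove(newRules[ruleNumber2]);
+}
+}
+}
+foreach (CheckPoint_Rule_With_SubPoliciesIndex rule in newRules)
+{
+cpPackage.SubPolicies[rule.SubPoliciesIndex].Rules.Add(rule.CheckPoint_Rule);
+}
+
+}
+
+///if have some problem with MatchNATRulesIntoFirewallPolicy, then remove current MatchNATRulesIntoFirewallPolicy and uncomment old MatchNATRulesIntoFirewallPolicy
+/*
+private void MatchNATRulesIntoFirewallPolicy()
 {
 CheckPoint_Package cpPackage = _cpPackages[0];
 
@@ -5255,6 +5516,9 @@ private void MatchNATRulesIntoFirewallPolicy()
 }
 }
 }
+*/
+
+
 
 /// <summary>
 /// !!! This method's logic follows the instructions from the "NAT rules matching FlowChart.vsd" document !!!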
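Review bot: The worker threads started at new line 5285 share mutable state with no synchronization: `newRules.Add(...)` at 5258 is a `List<T>.Add` issued from concurrent threads, the `++` on `NewCiscoAnalizStatistic._nonServicesLoggingServicesRulesCount` (5212) and `_timesServicesRulesCount` (5227) are non-atomic, and `cpPackage.ConversionIncidentType` is written at 5263, so the claim that no data changes during the threads does not hold and the list can silently lose entries or throw. Whether `_ciscoParser.GetCommandByCiscoId` (5183) and `_cpObjects.GetObject` (5218) tolerate concurrent callers is not visible here and should be confirmed before keeping the threading. The comment at 5254 still says the new rule goes ABOVE the matched rule, but the final loop at 5308 appends with `Rules.Add`, so a matched NAT rule can land below the sub-policy's cleanup rule (the one 5166 skips) and never be evaluated; carrying the matched rule's position in `CheckPoint_Rule_With_SubPoliciesIndex` and inserting there would restore the old ordering. The duplicate pass at 5295 calls `Remove` while indexing forward, which skips the element that shifts into `ruleNumber2` and can shift `newRules[ruleNumber]` itself; iterating `ruleNumber2` backwards with `RemoveAt(ruleNumber2)` avoids both. The minimal fix for the shared-state problem is a captured gate object plus `Interlocked` on the counters (assuming they are `int` fields and `System.Threading` is already imported for `Thread`):

```csharp
List<CheckPoint_Rule_With_SubPoliciesIndex> newRules = new List<CheckPoint_Rule_With_SubPoliciesIndex>();
object newRulesGate = new object();
// … unchanged: thread list, NAT-rule filtering, zone and sub-policy matching …
if (!cpRule.Track.Equals(TrackTypes.Log))
{
    Interlocked.Increment(ref NewCiscoAnalizStatistic._nonServicesLoggingServicesRulesCount);
}
// … unchanged: source/destination/service assignment …
if (cpRule.Time.Count > 0 && !cpRule.Time.First().Name.Equals("Any"))
{
    Interlocked.Increment(ref NewCiscoAnalizStatistic._timesServicesRulesCount);
}
// … unchanged: action, layer, comments, duplicate check against subPolicy.Rules …
if (!ruleIsAlreadyAdded)
{
    lock (newRulesGate)
    {
        newRules.Add(new CheckPoint_Rule_With_SubPoliciesIndex(SubPoliciesIndex: SubPoliciesIndex, CheckPoint_Rule: newRule));
    }
}

if (newRule.ConversionIncidentType != ConversionIncidentType.None)
{
    lock (newRulesGate)
    {
        cpPackage.ConversionIncidentType = ConversionIncidentType.Informative;
    }
}
// … unchanged: thread batching and join, duplicate removal, final append …
```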
